Ransomware Landscape

Chris Swagler | May 20th, 2022


Since WannaCry dramatically demonstrated the potential severity of ransomware five years ago, the ransomware landscape has been constantly evolving. Companies’ preparation for ransomware attacks has changed less over the same period. In the last few years, ransomware has established itself as one of the most difficult security concerns for companies across all sectors. While WannaCry is not as widespread as it was initially, it remains a dangerous threat that still appears on some vendors’ lists of top malware threats. According to most accounts, companies have become better at patching vulnerabilities and replacing obsolete and outdated software. Even so, some companies and regions continue to use the vulnerable version of the Server Message Block (SMB) protocol that WannaCry used to spread like wildfire.

Ransomware Landscape Evolving

EternalBlue, the exploit utilized in the WannaCry attacks, is still being used in most attacks against the SMB protocol. Patching and vulnerability management programs, along with threat detection, remediation, and response, continue to pose challenges for businesses. Ransomware, and how it’s being used, is evolving; many attacks are highly targeted, with hands-on tactics for maximum effectiveness. Multiplatform tools, including Conti, BlackCat, and DeadBolt, are becoming more common because of their ability to attack numerous operating systems. Additionally, the growth of ransomware-as-a-service (RaaS) products has lowered the entry barrier for common cybercriminals, while encouraging more businesslike structures and processes within the criminal enterprise. A large majority of ransomware operations now include data theft and denial-of-service attacks as additional forms of extortion.

Over the previous five years, the ransomware industry has developed new methods, like auctioning data and blackmailing customers, and new techniques, including more complex virtual machine escapes and persistence. The increase in ransomware’s market share is a good indication of how WannaCry sparked increased interest in ransomware. WannaCry first appeared in 2017 and quickly spread to over 300,000 computers worldwide. Even though many described it as ransomware, one of the main functions of WannaCry was to wipe data clean from infected systems. Numerous organizations, including the United Kingdom’s National Health Service, were affected by the outbreak.

According to the United States Department of Justice, the WannaCry malware and the attacks have been connected to North Korea’s Lazarus Group. Researchers have calculated that the malware has caused more than $1 billion in damages over the years. The malware spreads using EternalBlue, a US National Security Agency (NSA)-developed exploit, to target a critical remote code execution vulnerability (MS17-010) in Microsoft’s Server Message Block 1.0 (SMBv1) file-sharing protocol. Once WannaCry is installed on a system, it quickly spreads to other devices running a vulnerable SMB version. Even though Microsoft released a patch for the SMB flaw more than a month before WannaCry appeared, millions of computers remained unpatched when the malware hit.

Threat operators are still using the EternalBlue exploit to infect enterprise systems with WannaCry and other malware. According to a recent attack analysis covering a three-month period, the EternalBlue exploit was used in 92% of all attacks on SMB port 445. Unpatched machines remain because of continuous delays in companies updating their infrastructures, and threat operators are always looking to exploit those systems. Even though newer, more secure versions of the file-sharing protocol have been around for years, a recent survey shows that 68% of respondents admitted to still using SMBv1. At the upcoming RSA Conference (RSAC), an organization will examine the challenges companies face in protecting themselves against ransomware attacks in a session called “What Will It Take to Stop Ransomware?”

SMBv1 has been deprecated since 2014; however, 68% of companies are still running it, and other organizations, knowingly or unknowingly, have been running outdated, insecure, or unencrypted protocols. The risk is enormous: SMBv1 does not need to be installed on every device in an environment to enable a catastrophic attack, just on one. According to an information security specialist, companies are less vulnerable to WannaCry now; however, many companies haven’t applied the MS17-010 update, and their SMB installations remain vulnerable to the EternalBlue exploit. Company patch adoption falls behind vendor updates. Companies will struggle to stay current with new software releases, and that’s why they need to remain on top of cybercriminal innovation.
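The paragraphs above make the case that a single host still serving SMBv1 is enough. The following script is an added example, not SpearTip’s code, that audits a Windows host for SMBv1 exposure and can disable it; it assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer, run from an elevated prompt. It deliberately does not check for the MS17-010 hotfix, because the relevant KB numbers differ per OS version and are superseded by later cumulative updates, so patch status is better confirmed through your update-management tooling.

```powershell
# Added example (not from the original article): audit and remediate SMBv1 on
# the local Windows host. Assumes PowerShell 5.1+, Windows 8 / Server 2012+,
# and an elevated session (the Smb* and Windows feature cmdlets need it).

function Get-Smb1Exposure {
    # Returns one object summarizing whether this host still offers SMBv1 and
    # whether any peer is currently connected with an SMB1 dialect.
    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $null   # LanmanServer still negotiates SMB1 dialects
        Smb1FeatureState   = $null   # SMB1 feature/role installed on this SKU
        ActiveSmb1Sessions = 0       # peers that would break if SMB1 is removed
    }

    $cfg = Get-SmbServerConfiguration
    $result.Smb1ServerEnabled = $cfg.EnableSMB1Protocol

    # Client SKUs expose SMB1 as an optional feature; server SKUs as a role feature.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) {
        $result.Smb1FeatureState = $feat.State
    } elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $result.Smb1FeatureState = (Get-WindowsFeature -Name FS-SMB1).InstallState
    }

    # A session negotiated at dialect 1.x identifies a legacy client to migrate first.
    $legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    $result.ActiveSmb1Sessions = @($legacy).Count

    [pscustomobject]$result
}

function Disable-Smb1Server {
    # Turns off SMB1 on the server side; supports -WhatIf so it can be rehearsed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Removing the feature (not just disabling the dialect) takes effect after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage: review exposure first, then rehearse and apply the change.
Get-Smb1Exposure | Format-List
Disable-Smb1Server -WhatIf
```

Run `Get-Smb1Exposure` across a fleet (for example via `Invoke-Command`) before disabling anything, so that hosts with a non-zero `ActiveSmb1Sessions` count can have their legacy clients migrated first.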

In 2017, ransomware was one of the most dominant threats, and it will continue to be a major threat in 2022. Worm-like ransomware has gone from being an emerging threat to a standard for ransomware attacks. Additionally, using exfiltration techniques to conduct double extortion was uncommon in 2017, but it’s very common now. Since the WannaCry attack, the ransomware landscape has evolved in other ways as well. After analyzing the threat landscape, researchers identified a trend of using ransomware as a decoy in state-sponsored attacks, cyber warfare, and criminal activities. WannaCry, NotPetya, and WhisperGate were wipers disguised as ransomware, deceiving victims into thinking that if they paid a ransom, they would get their data back. Threat operators are utilizing ransomware to distract victims from their true motives.

Ransomware attacks are now more customized and tailored than those in the past, which spread indiscriminately in an automated fashion. Attacks are tailored and customized for each targeted organization and what’s critical to it, whether that’s patients’ information for healthcare providers or continued systems operations critical to manufacturing companies.

Reports have found that ransomware groups are taking sides in geopolitical conflicts, including Russia’s war in Ukraine. The Conti ransomware family has aligned with Russian interests, while others, including the Ukrainian IT Army, are on the opposite side. That alignment can have an impact on which organizations are targeted. WannaCry served as a wake-up call for many companies when it came to patching practices, and it resulted in stronger vulnerability management programs. However, many companies prioritize operating system patching above updating essential applications, including Java, Office, and Adobe products, which are installed throughout their environments. Basic security hygiene, including secure network architecture, eliminating unwanted attack surfaces, and enforcing least privilege around Active Directory and ‘crown jewels’ systems, is essential for ransomware preparedness.

As ransomware groups are continually evolving their methods and techniques, companies must have a response plan when dealing with ransomware attacks and remain alert to the current ransomware landscape. At SpearTip, our certified engineers work continuously at our Security Operations Centers 24/7/365 monitoring companies’ networks for potential ransomware threats and are ready to respond to events at a moment’s notice. We assess the overall cyber maturity of companies’ network configurations, security tools, personnel security measures, and organizational preparedness and capabilities. SpearTip examines companies’ security posture from the top down to improve the weak points in their network. The ShadowSpear Platform provides cloud-based solutions collecting endpoint logs and detecting unknown and advanced threats with comprehensive insights using unparalleled data visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
